CISSP (Domain 3 - Information Security Governance and Risk Management)

Question 1

4 Item for a Business Model for Information Security

OPPT

Answer 1

• Organization Design/Strategy
• People
• Process
• Technology

Question 2

6 Interconnections for a Business Model in Information Security
(GCEEHA)

Answer 2

• Governance
• Culture
• Enablement & Support
• Emergence
• Human Factors
• Architecture

Question 3

Corporate Governance

Answer 3

Set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, objectives achieved.

Question 4

Plan Do Check Act (PDCA)

E/IO/MR/MI

Answer 4

Approach to continuous process improvement

• Establish ISMS
• Implement/Operate ISMS
• Monitor/Review ISMS
• Maintain/Improve ISMS

Question 5

ISO 27001 (Governance)

Answer 5

PDCA model to structure the processes, and reflects the principals set out in the OECD guidelines

• How to implement

Question 6

ISO 27002 (Governance)

Answer 6

AKA ISO 17799, basic outline of hundreds of potential controls and control mechanisms

• What should be secured

Question 7

3 Goals of a Security Model
(long/mid/short)
(STO)

Answer 7

• Long Term: Strategic Goals (supported by med/short term, all PCs on VPN)
• Mid Term: Tactical Goals (Put in domains, add Firewalls)
• Short Term: Operational Goals (Patches)

Question 8

Due Care

Answer 8

• *Do Connect
• Do the right thing and protect assets
• Functional Requirements

Question 9

Due Diligence

Answer 9

• *Do Detect
• Senior Management
• Investigate actual threats and risks (Determine Risk Exposure)
• Assurance Requirements

Question 10

CIA Triad

Answer 10

• Confidentiality: Prevent unauthorized disclosure of sensitive information
• Integrity: Prevent unauthorized modification of systems and information
• Availability: Prevent disruption of service and productivity

Question 11

Confidentiality (CIA Triad) - Threats and Solutions

Answer 11

Threats:

• Hackers
• Malicious Software
• Social Engineering
• System Failure/Employee Error

Solutions:

• Identification
• AuthN
• AuthZ

Question 12

Integrity (CIA Triad) - Threats and Solutions

Answer 12

Threats:

• Hackers
• Malicious Software
• Social Engineering
• System Failure/Employee Error

Solutions:

• Least Privilege
• Separation of Duties (SoD), prevents collusion
• Rotation of Duties (Mandatory Vacation)

Question 13

Availability (CIA Triad) - Threats and Solutions

Answer 13

Threats:

• Deliberate Attacks
• System Failure/User Error
• Natural Disasters

Solutions:
- Redundancy

Question 14

3 Reasons Why We Have Security Policies

OSR

Answer 14

• Objective/Goal or Purpose
• Scope
• Responsibility

Question 15

What is a Security Policy

Answer 15

General statement products by senior management/board/committee to dictate what type of role security plays within the organization.

Question 16

Security Policy Document Relationship

Drivers/MgmtSS/MgmtSD

Answer 16

• Drivers: Laws, Regulations, Best Practices
  Program or Organizational Policy
• Managements Security Statement: Program/Organizational Policy
• Managements Security Directive: Functional Policies (issue and system specific)
  + standards/procedures/baselines/guidelines

Question 17

NIST SP 800-12: Program Policy

Answer 17

Programs security policy driving by Laws/Regulations/Best Practices. Large scope

Question 18

NIST SP 800-12: Issue-Specific Policies

Answer 18

Addresses specific security threats management feels need more detailed explanation and attention.

Ex: Acceptable use of resources agreement, e-mail policy where management can read your email

Question 19

NIST SP 800-12: System-Specific Policies

Answer 19

Includes two components: Security Objectives and Operational Security Rules.

Usually only on one system

Ex. Payroll and HR can only modify Payroll system

Question 20

Regulatory Policy

Answer 20

Government ordinance, all who fall under must comply

Question 21

Advisory Policy

Answer 21

NOT mandated by law. Company puts in place on self.

Question 22

Informative Policy

Answer 22

Educate who reads the policy.

Ex: No smoking in the aircraft

Question 23

4 Functions for Support Policies

SBPG

Answer 23

• Standards
• Baselines
• Procedures
• Guidelines

Question 24

Standards - Supporting Policies

Answer 24

• Binding

- Common practice all adhere to (RHEL only)

Question 25

Baselines - Supporting Policies

Answer 25

• Binding
• Min level of protection and security
• Password length 8 characters

Question 26

Procedures - Supporting Policies

Answer 26

• Binding

- Set of instructions to meet policy

Question 27

Guidelines - Supporting Policies

Answer 27

• non-binding
• Recommendation or suggestion to improve the overall quality of a policy
• Use ISO/ITIL

Question 28

3 C’s of Data Classification

Answer 28

• Cost Value: Identified during risk analysis
• Classify: Organize according to sensitivity to loss or disclosure (Priority)
• Control: Data segmented into sensitivity levels (Level)

Question 29

4 Commercial Data Classification Types

CPSP

Answer 29

• Confidential
• Private
• Sensitive
• Public

Question 30

4 Military Data Classification Types

TSCU

Answer 30

• Top Secret
• Secret
• Confidential
• Unclassified

Question 31

Difference Between Data Owner and Data Custodian

Answer 31

Data owner directs the data custodian on how to protect the data

Question 32

Data Owners Responsibilities (2 things)

Answer 32

• Level of priority/classification to a resource. (what makes it special)
• Define level of protection of asset at the priority

Question 33

Data Custodian Responsibilities (2 things)

Answer 33

• Implement controls that meet the level of protection needed
• Maintain the data and monitor

Question 34

Risk Management (IAR)
(RA/RM/CE)

Answer 34

The process of identifying, analyzing, and reducing the risk to an acceptable level.

• Risk Assessment
• Risk Mitigation
• Controls Evaluation

Question 35

Risk Assessment

Answer 35

Identification of companies assets, associated risks, and potential loss the organization could suffer.

Question 36

Asset - Risk Management

Answer 36

Any resource with value to the organization

Question 37

Threat - Risk Management

Answer 37

Potential danger to an asset

Question 38

Threat-Source/Threat-Agent - Risk Management

Answer 38

Anyone/thing that has the potential to cause threat

Question 39

Vulnerability - Risk Management

Answer 39

Flaw or weakness of an asset

Question 40

Risk

Answer 40

Likelihood of a threat agent taking advantage of a vulnerability

Question 41

Exposure

Answer 41

An opportunity for a threat to cause loss (Firewall ports opened)

Question 42

Event/Exploit

Answer 42

Instance of loss experienced

Question 43

Loss

Answer 43

Real or perceived devaluation of an asset

Question 44

Controls (2 types)

Answer 44

• Technical and nontechnical risk mitigation mechanisms (Safeguards/Countermeasures)
• Good controls reduce exposure

Question 45

Safeguards

Answer 45

Preventative (proactive, avoid)

Question 46

Countermeasures

Answer 46

Detective and corrective (reactive, respond)

Question 47

4 Steps to Perform Risk Analysis

WC/HB/LR/HR

Answer 47

• What could happen
• How bad would it be (loss)
• Likelihood to be realized (chance)
• How real are they

Question 48

NIST 800-30: Risk Assessment Activities (9 Steps)

SC/TI/VI/CA/L/IA/R/CR/D

Answer 48

• System Characterization (identify systems)
• Threat ID
• Vulnerability ID
• Control Analysis
• Likelihood (Will it happen)
• Impact Analysis (loss?)
• Risks
• Control Recommendations
• Documentation

Question 49

Quantitative - Risk Approach

Answer 49

Assigning numeric/monetary values to risk ($$$$)

Question 50

Qualitative - Risk Approach

Answer 50

Subjective rating assigned, opinion based,

Question 51

Delphi Method - Risk Approach

Answer 51

People can express their ideas anonymously

Question 52

Annualized Loss Expectancy (ALE)*

Tornado damage 50% of facility. Worth 200,000. Once in 10 years

Answer 52

SLE x ARO = ALE

Tornado damage 50% of facility. Worth 200,000. Once in 10 years

SLE: 200,000 x .50 = 100,000
ARO: 1/10 = .1 (remember x in # of years)

100,000 x .1 = 10,000 in countermeasures

Question 53

Single Loss Expectancy (SLE)*

Answer 53

Asset Value (AV) x Exposure Factor (EF) = SLE

Question 54

Annualized Rate of Occurrence (ARO)*

Answer 54

Value that represents the estimated possibility of a specific threat taking place

Question 55

Exposure Factor (EF)

Answer 55

Percentage of asset loss caused by threat

Question 56

Residual Risk

Answer 56

Risk after countermeasures or safeguards

Total Risk - Acceptable Risk = Residual Risk

Question 57

Total Risk

Answer 57

Exposure before control put in place

Question 58

Acceptable Risk

Answer 58

What “C” are ok with

Question 59

Control Gap

Answer 59

Risk between Total Risk and Acceptable risk

Question 60

3 Risk Mitigation Options(RTA)

Answer 60

• Reduce
• Transfer
• Accept

Question 61

Cost-Benefit Analysis Formula

Tornado

• 10k Asset
• 1k deductible
• 2k year policy

Answer 61

Value of the control of the company

Tornado

• 10k Asset
• 1k deductible
• 2k year policy

ALE Before - ALE After - Annual Cost of Control

10k - 1k - 2k = 7k cost benefit

Question 62

Security Awareness Training

Answer 62

• Employees wont follow them unless they know about them
• Employees must know expectations and ramification if not met
• Employee recognition award program
• Part of due care
• Administrative control

Question 63

2 Approaches to Security Management

TD/BU

Answer 63

• Top-Down: Senior management directed (ISC^2)

- Bottom-Up: IT defines